Tuning the ACL User Cache (Authentication Cache)

The ACL user cache is active by default. Because
the cache holds only 200 entries by default, it can become
a bottleneck, or simply fail to serve its purpose, on a site with heavy traffic.
On a busy site, more than 200 users can hit ACL-protected resources in less
time than the lifetime of the cache entries. When this situation occurs, Proxy
Server must query the LDAP server more often to validate users, which impacts
performance.

This bottleneck can be avoided by increasing the maximum number of users
in the ACL cache, using "Configure ACL Cache" under "Preferences" in the Admin
console.

A second potential (but much harder to hit) bottleneck is
the number of groups stored in a cache entry (four by default). If a user
belongs to five groups and hits five ACLs that check for these different groups
within the ACL cache lifetime, an additional cache entry is created to hold
the additional group entry. When there are two cache entries, the entry with
the original group information is ignored.

While it would be extremely unusual to hit
this possible performance problem, the number of groups cached in a single
ACL cache entry can be tuned with "Proxy Auth Group Cache Size" at "Configure
ACL Cache" under "Preferences" in the Admin console.

The maximum age setting of the ACL cache determines the number
of seconds before the cache entries expire. Each time an entry in the cache
is referenced, its age is calculated and checked against the maximum age setting.
The entry is not used if its age is greater than or equal to the maximum age.
The default value is 120 seconds. If your LDAP entries are not likely to change often,
use a large number for the maximum age. However, if your LDAP entries change
often, use a smaller value. For example, when the value is 120 seconds, the
Proxy Server might be out of sync with the LDAP server for as long as two
minutes. Depending on your environment, that might or might not be a problem.
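
The following sketch is an added example, not Proxy Server code: it models the user cache described above to show how the maximum-users and maximum-age settings trade LDAP load against how long a directory change stays unseen. The `AclUserCache` class, its least-recently-used eviction policy, and the round-robin traffic pattern are assumptions made for illustration.

```python
from collections import OrderedDict

class AclUserCache:
    """Toy model of the ACL user cache; LRU eviction is an assumption."""

    def __init__(self, max_users=200, max_age=120):
        self.max_users, self.max_age = max_users, max_age
        self.entries = OrderedDict()  # user -> time the entry was validated against LDAP
        self.ldap_queries = 0

    def authenticate(self, user, now):
        created = self.entries.get(user)
        # An entry is not used once its age is >= the maximum age.
        if created is not None and now - created < self.max_age:
            self.entries.move_to_end(user)
            return "cache"
        self.ldap_queries += 1  # missing or expired entry: validate against LDAP again
        self.entries[user] = now
        self.entries.move_to_end(user)
        while len(self.entries) > self.max_users:
            self.entries.popitem(last=False)  # evict the least recently used entry
        return "ldap"

def ldap_queries(distinct_users, max_users, max_age=120, duration=600, rate=10):
    """LDAP lookups caused by `distinct_users` users taking turns at `rate` requests/second."""
    cache = AclUserCache(max_users, max_age)
    for i in range(duration * rate):
        cache.authenticate(f"user{i % distinct_users}", now=i / rate)
    return cache.ldap_queries

def stale_window(max_age, change_at=0):
    """Seconds a directory change made at `change_at` goes unseen for a user cached at t=0."""
    cache = AclUserCache(max_age=max_age)
    cache.authenticate("alice", now=0)
    t = change_at
    while cache.authenticate("alice", now=t) == "cache":
        t += 1
    return t - change_at

if __name__ == "__main__":
    # Constructed workload: 250 users, each returning every 25 seconds, for 10 minutes.
    print("200-entry cache:", ldap_queries(250, 200), "LDAP queries")
    print("300-entry cache:", ldap_queries(250, 300), "LDAP queries")
    print("max age 120 s, stale for up to", stale_window(120), "s")
```

With 250 active users, the 200-entry cache in this model never produces a hit, while a cache large enough to hold them all sends a user to LDAP only when that user's entry expires.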